SYN CookieÔ­Àí¼°ÆäÔÚLinuxÄÚºËÖеÄʵÏÖ

¸ÅÊö
ÔÚÄ¿Ç°ÒÔIPv4Ϊ֧³ÅµÄÍøÂçЭÒéÉϴµÄÍøÂç»·¾³ÖУ¬SYN FloodÊÇÒ»Öַdz£Î£ÏÕ¶ø³£¼ûµÄDoS¹¥»÷·½Ê½¡£µ½Ä¿Ç°ÎªÖ¹£¬Äܹ»ÓÐЧ·À·¶SYN Flood¹¥»÷µÄÊֶβ¢²»¶à£¬¶øSYN Cookie¾ÍÊÇÆäÖÐ×îÖøÃûµÄÒ»ÖÖ¡£SYN CookieÔ­ÀíÓÉD. J. BernstainºÍ Eric Schenk·¢Ã÷¡£Ôںܶà²Ù×÷ϵͳÉ϶¼Óи÷ÖÖ¸÷ÑùµÄʵÏÖ¡£ÆäÖаüÀ¨Linux¡£±¾Îľͷֱð½éÉÜÒ»ÏÂSYN Flood¹¥»÷ºÍSYN CookieµÄÔ­Àí£¬¸üÖØÒªµÄÊǽéÉÜLinuxÄÚºËÖÐʵÏÖSYN CookieµÄ·½Ê½¡£×îºó£¬±¾Îĸø³öÒ»ÖÖÔöÇ¿Ä¿Ç°LinuxÖÐSYN Cookie¹¦ÄܵÄÏë·¨¡£
Ò» SYN Flood¹¥»÷
SYN Flood¹¥»÷ÊÇÒ»ÖÖµäÐ͵ľܾø·þÎñÐÍ£¨Denial of Service£©¹¥»÷¡£Ëùν¾Ü¾ø·þÎñÐ͹¥»÷¾ÍÊÇͨ¹ý½øÐй¥»÷£¬Ê¹Êܺ¦Ö÷»ú»òÍøÂç²»Äܹ»Á¼ºÃµÄÌṩ·þÎñ£¬´Ó¶ø¼ä½Ó´ïµ½¹¥»÷µÄÄ¿µÄ¡£
SYN Flood¹¥»÷ÀûÓõÄÊÇIPv4ÖÐTCPЭÒéµÄÈý´ÎÎÕÊÖ£¨Three-Way Handshake£©¹ý³Ì½øÐеĹ¥»÷¡£´ó¼ÒÖªµÀЭÒé¹æ¶¨£¬Èç¹ûÒ»¶ËÏëÏòÁíÒ»¶Ë·¢ÆðTCPÁ¬½Ó£¬ËüÐèÒªÊ×ÏÈ·¢ËÍTCP SYN °üµ½¶Ô·½£¬¶Ô·½ÊÕµ½ºó·¢ËÍÒ»¸öTCP SYN+ACK°ü»ØÀ´£¬·¢Æð·½ÔÙ·¢ËÍTCP ACK°ü»ØÈ¥£¬ÕâÑùÈý´ÎÎÕÊ־ͽáÊøÁË¡£ÎÒÃÇ°ÑTCPÁ¬½ÓµÄ·¢Æð·½½Ð×÷"TCP¿Í»§»ú£¨TCP Client£©"£¬TCPÁ¬½ÓµÄ½ÓÊÕ·½½Ð×÷"TCP·þÎñÆ÷£¨TCP Server£©"¡£ÖµµÃ×¢ÒâµÄÊÇÔÚTCP·þÎñÆ÷ÊÕµ½TCP SYN request°üʱ£¬ÔÚ·¢ËÍTCP SYN+ACK°ü»ØTCP¿Í»§»úÇ°£¬TCP·þÎñÆ÷ÒªÏÈ·ÖÅäºÃÒ»¸öÊý¾ÝÇøרÃÅ·þÎñÓÚÕâ¸ö¼´½«ÐγɵÄTCPÁ¬½Ó¡£Ò»°ã°ÑÊÕµ½SYN°ü¶ø»¹Î´ÊÕµ½ACK°üʱµÄÁ¬½Ó״̬³ÉΪ°ë¿ªÁ¬½Ó£¨Half-open Connection£©¡£
ÔÚ×î³£¼ûµÄSYN Flood¹¥»÷ÖУ¬¹¥»÷ÕßÔÚ¶Ìʱ¼äÄÚ·¢ËÍ´óÁ¿µÄTCP SYN°ü¸øÊܺ¦Õߣ¬Õâʱ¹¥»÷ÕßÊÇTCP¿Í»§»ú£¬Êܺ¦ÕßÊÇTCP·þÎñÆ÷¡£¸ù¾ÝÉÏÃæµÄÃèÊö£¬Êܺ¦Õß»áΪÿ¸öTCP SYN°ü·ÖÅäÒ»¸öÌض¨µÄÊý¾ÝÇø£¬Ö»ÒªÕâЩSYN°ü¾ßÓв»Í¬µÄÔ´µØÖ·£¨ÕâÒ»µã¶ÔÓÚ¹¥»÷ÕßÀ´ËµÊǺÜÈÝÒ×αÔìµÄ£©¡£Õ⽫¸øTCP·þÎñÆ÷ϵͳÔì³ÉºÜ´óµÄϵͳ¸ºµ££¬×îÖÕµ¼ÖÂϵͳ²»ÄÜÕý³£¹¤×÷¡£
¶þ SYN CookieÔ­Àí
SYN CookieÊǶÔTCP·þÎñÆ÷¶ËµÄÈý´ÎÎÕÊÖЭÒé×÷һЩÐ޸ģ¬×¨ÃÅÓÃÀ´·À·¶SYN Flood¹¥»÷µÄÒ»ÖÖÊֶΡ£ËüµÄÔ­ÀíÊÇ£¬ÔÚTCP·þÎñÆ÷ÊÕµ½TCP SYN°ü²¢·µ»ØTCP SYN+ACK°üʱ£¬²»·ÖÅäÒ»¸öרÃŵÄÊý¾ÝÇø£¬¶øÊǸù¾ÝÕâ¸öSYN°ü¼ÆËã³öÒ»¸öcookieÖµ¡£ÔÚÊÕµ½TCP ACK°üʱ£¬TCP·þÎñÆ÷ÔÚ¸ù¾ÝÄǸöcookieÖµ¼ì²éÕâ¸öTCP ACK°üµÄºÏ·¨ÐÔ¡£Èç¹ûºÏ·¨£¬ÔÙ·ÖÅäרÃŵÄÊý¾ÝÇø½øÐд¦ÀíδÀ´µÄTCPÁ¬½Ó¡£
´ÓÉÏÃæµÄ½éÉÜ¿ÉÒÔ¿´³ö£¬SYN CookieµÄÔ­Àí±È½Ï¼òµ¥¡£µ½Êµ¼ÊµÄÓ¦ÓÃÖУ¬ËüÓжàÖÖ²»Í¬µÄʵÏÖ·½Ê½¡£
Èý LinuxÄÚºËÖеÄSYN CookieʵÏÖ
LinuxÄÚºËÖжÔSYN Flo